[security-dev] Resteasy authentication
darran.lofthouse at jboss.com
Thu Nov 29 11:13:29 EST 2012
On 11/29/2012 04:00 PM, Bill Burke wrote:
> On 11/28/2012 10:01 AM, Darran Lofthouse wrote:
>> Just catching up on some threads before getting back to some HTTP
>> authentication myself.
>> On 11/26/2012 09:38 PM, Bill Burke wrote:
>>> * Browser-based clients can't negotiate
>> That is not completely true - there is a limited level of negotiation
>> within browsers as HTTP already supports multiple mechanisms
> There's not many protocols that the browser supports for
> WWW-Authenticate challenges. (Basic and Digest?) An SSL connection set
> up to "NEED" a client-cert will force the browser to prompt the user for
> a cert. But this isn't negotiation, its, provide me a cert or you are
> not allowed to connect.
Yes if you are combining the two you need to set it to "WANT", that way
a client can provide it if it can or use username/password auth if it can't.
>> Within AS7 and Remoting for SASL we provide the client with a list of
>> supported mechanism, the client chooses one mechanism - tries to auth,
>> fails and then tries the next mechanism on the list. It is true that
>> this sequence is not possible within HTTP.
>> However for the HTTP authenticators I am currently working instead of
>> sending the client the simple list we send them a response containing a
>> challenge for each supported mechanism - the browser then chooses which
>> mechanism it supports and uses it to respond to the challenge.
> I think browsers can just handle basic and digest auth. That's it. Both
> protocols are not really used for browser-based apps.
Maybe not the MD5 variant but the enhanced variants of Digest could
offer a lot for browser based apps as you potentially gain the addition
of integrity protection - although for that we do need to wait to see if
the RFC is finalised and the browsers implement it.
>>> * client-cert auth is just completely different than other auth
>>> mechanisms as is part of the socket connection set up, and nothing to do
>>> with HTTP
>> Combining client-cert auth with other http mechanisms is more about
>> prioritising the order we make the decisions regarding authenticating so
>> checking if there is a client certificate available on the connection
>> that we can use to authenticate before we make the decision to send the
> This is problematic too for a couple of reasons. YOu can set up your
> socket layer (in JBoss) to NEED a client cert, but unfortunately, this
> will be for *EVERY* web app. If you change SSL to "WANT" client-cert,
> I'm not sure every browser will prompt you for a client cert.
Last time I tried this I did have reasonable coverage of the browsers -
I would need to test again to verify if it applies to all browsers.
> Another thing that sucks is that JBossWeb pretty much requires you to
> plug in a global truststore for client-certs when you configure SSL for
> it. So, you can't have different truststores for different apps and
> have the security domain handle the verification of the client certificate.
Yes that is a general problem as until the connection is established it
is not possible to identify which application is being accessed.
More information about the security-dev